Security & HIPAA

Built for buyers who can't afford a breach

You're betting your Medicare standing on this software. Here's exactly how Sothcare protects your patients' PHI — in plain language, with no hand-waving.

HIPAA-first

Architected for HIPAA from day one. A signed Business Associate Agreement (BAA) is in place with AWS, and we sign a BAA with every customer before any PHI is loaded.

Encryption everywhere

AES-256 encryption at rest and TLS 1.3 in transit. PHI is never stored or transmitted in the clear.

Access control

Mandatory multi-factor authentication (MFA) for admin roles, role-based access control (RBAC), and 20-minute idle session timeouts.

7-year audit log

Every access and change is recorded and retained for 7 years, meeting CMS and state documentation-retention requirements.

Isolated infrastructure

Private AWS RDS, multi-tenant isolation, and 35-day automated backups with point-in-time recovery.

SOC 2 Type II

Independent SOC 2 Type II audit is in progress; the report will be available in Q3 2026. We'll share it under NDA on request.

Where we are honest with you

SOC 2 Type II is in audit, not yet certified — we won't display a badge we haven't earned. We're an early-stage vendor and we'd rather you know exactly where we stand than be surprised in procurement. What we can show you today: the signed AWS BAA, our encryption and access-control configuration, the audit-log design, and a reference call with a live agency.

Ask our team a security question →

Want the full security packet?

We'll walk your compliance officer through the BAA, data-flow diagram, and audit-log design on a 25-minute call.

Book my 25-min demo